
AWS Cognito dataset and Google Identity Toolkit error

I am using the new (somewhat) Google Identity Toolkit and I am facing a strange issue.

The JWT token generated by it is the following:

{
  "alg": "RS256",
  "kid": "qwYevA"
}
{
  "iss": "https://identitytoolkit.google.com/",
  "aud": "950882198692-jrb8d5t979qahaechf5gd4t3g59gpvou.apps.googleusercontent.com",
  "iat": 1444275809,
  "exp": 1445485409,
  "user_id": "05244125885327377646",
  "email": "**********@gmail.com",
  "provider_id": "facebook.com",
  "verified": false,
  "display_name": "NOT_MY_NAME",
  "photo_url": "https://fbcdn-profile-a.akamaihd.net/hprofile-ak-xaf1/v/t1.0-1/c155.48.597.597/s50x50/notmyphotonotmyphotonotmyphotonotmyphoto.jpg?oh=notmyphotonotmyphotonotmyphotonotmyphoto&oe=notmyphoto&__gda__=notmyphotonotmyphotonotmyphotonotmyphotonotmyphoto"
} 
{
*signature*
}

I am properly setting the iss:

CognitoSyncClientManager.addLogins("https://identitytoolkit.google.com/",
                  idToken.getTokenString());

The error appears whenever I try to sync a dataset:

Dataset dataset = syncClient.openOrCreateDataset("myTestDataset");
dataset.put("myTestKey", "myTestValue");
dataset.synchronize(new DefaultSyncCallback() {
    @Override
    public void onSuccess(Dataset dataset, List<Record> newRecords) {
        System.out.println(dataset.get("myTestKey"));
    }
});

The error log:

com.google.identitytoolkit.demo E/DefaultSyncCallback: Failure occurred during sync
***: com.amazonaws.mobileconnectors.cognito.exceptions.DataStorageException: Failed to list records in dataset: myTestDataset
***:     at com.amazonaws.mobileconnectors.cognito.internal.storage.CognitoSyncStorage.handleException(CognitoSyncStorage.java:293)
***:     at com.amazonaws.mobileconnectors.cognito.internal.storage.CognitoSyncStorage.listUpdates(CognitoSyncStorage.java:152)
***:     at com.amazonaws.mobileconnectors.cognito.DefaultDataset.synchronizeInternal(DefaultDataset.java:388)
***:     at com.amazonaws.mobileconnectors.cognito.DefaultDataset$1.run(DefaultDataset.java:149)
***:     at java.lang.Thread.run(Thread.java:818)
***:  Caused by: com.amazonaws.AmazonServiceException: 1 validation error detected: Value '{https://identitytoolkit.google.com/=eyJhb---*MASSIVE-JWT*---c5demjsRlQtqjz8A}' at 
'logins' failed to satisfy constraint: Map keys must satisfy constraint: [Member must have length less than or equal to 128, Member must have length greater than or equal to 1, 
Member must satisfy regular expression pattern: [\w._/-]+] (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: ValidationException; Request ID: ab0d6028-6d80-11e5-ac9f-33bc83bfc548)
......
***: failed to synchronize myTestDataset

So, what could I be doing wrong?

This is my first time working with AWS and I am fairly new to JWT as well. Any help is appreciated.

I should mention that I am using classes and samples from this project: https://github.com/awslabs/aws-sdk-android-samples/tree/master/CognitoSyncDemo

Google's OpenID Connect issuer name is "accounts.google.com", and that's what should be passed as the first parameter of addLogins instead of "https://identitytoolkit.google.com/" for Google tokens.

However, it looks like your token actually specifies "https://identitytoolkit.google.com/" as issuer. If that's the kind of tokens you are receiving from the Identity Toolkit, I'm afraid you won't be able to use them to authenticate with Google using Cognito as that is not a valid OpenID Connect issuer according to this. It might be worth asking the Identity Toolkit guys about that, because it looks like a bug on their side.
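
The two problems discussed above (the logins key rejected by the constraint quoted in the ValidationException, and the token's iss not being the issuer the key names), as an added pre-flight check that is not part of the original post or of the AWS SDK. It is plain Java for a desktop JVM; the class and method names are hypothetical, the sample token is constructed and unsigned, and the scheme-stripping comparison between iss and the key is an assumption made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LoginsKeyCheck {
    // Constraint quoted in the ValidationException: length 1..128, characters from [\w._/-]
    private static final Pattern KEY_PATTERN = Pattern.compile("[\\w._/-]+");
    private static final Pattern ISS_CLAIM = Pattern.compile("\"iss\"\\s*:\\s*\"([^\"]*)\"");

    /** True if the string is acceptable as a key of the Cognito 'logins' map. */
    static boolean isValidLoginsKey(String key) {
        return key != null && !key.isEmpty() && key.length() <= 128
                && KEY_PATTERN.matcher(key).matches();
    }

    /** Reads the 'iss' claim from the JWT payload. Diagnostic only: the signature is NOT verified. */
    static String issuerOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = ISS_CLAIM.matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no iss claim");
        return m.group(1);
    }

    /** Returns why the token cannot be registered under providerKey, or null if nothing is wrong. */
    static String problem(String providerKey, String jwt) {
        if (!isValidLoginsKey(providerKey)) return "key rejected by logins constraint: " + providerKey;
        String iss = issuerOf(jwt);
        // Assumption: treat iss with and without the https:// scheme as the same issuer
        String host = iss.replaceFirst("^https://", "").replaceAll("/+$", "");
        if (!host.equals(providerKey)) return "token iss '" + iss + "' does not match key '" + providerKey + "'";
        return null;
    }

    public static void main(String[] args) {
        // Constructed, unsigned sample token carrying the iss value from the question
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String jwt = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString("{\"iss\":\"https://identitytoolkit.google.com/\"}".getBytes(StandardCharsets.UTF_8))
                + ".sig";
        System.out.println(problem("https://identitytoolkit.google.com/", jwt)); // fails on the ':' in the key
        System.out.println(problem("accounts.google.com", jwt));                 // key is valid, issuer differs
    }
}
```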
